/// <summary>
/// Authorizes the incoming <typeparamref name="TRequest"/> against the
/// <see cref="ResourceAuthorizeAttribute"/> declared on the request type, then
/// forwards it to the inner handler.
/// </summary>
/// <param name="message">The request to authorize and handle.</param>
/// <returns>The inner handler's response when access is granted.</returns>
/// <exception cref="SecurityException">
/// Thrown when <c>manager.CheckAccessAsync</c> reports that access is denied.
/// </exception>
/// <remarks>
/// A request type that carries no <see cref="ResourceAuthorizeAttribute"/> is
/// forwarded without consulting the manager (fail-open); the original TODO
/// leaves open whether such requests should instead be rejected.
/// </remarks>
public async Task<TResponse> HandleAsync(TRequest message)
{
    var attribute = typeof(TRequest).GetCustomAttribute<ResourceAuthorizeAttribute>();

    // TODO - throw exception or allow commands with no permissions?
    // No attribute on the request type: skip the access check entirely.
    if (attribute is null)
    {
        return await inner.HandleAsync(message);
    }

    var context = new ResourceAuthorizationContext(
        userContext.Principal,
        new[] { ActionFromAttribute(attribute) },
        ResourcesFromAttribute(attribute));

    if (!await manager.CheckAccessAsync(context))
    {
        throw new SecurityException("Access denied.");
    }

    return await inner.HandleAsync(message);
}
/// <summary>
/// An anonymous principal must be denied both the Edit and the View action on
/// the Album resource.
/// </summary>
public void Anonymous_Cannot_Access_Album()
{
    var deniedActions = new[]
    {
        ChinookResources.AlbumActions.Edit,
        ChinookResources.AlbumActions.View,
    };

    foreach (var action in deniedActions)
    {
        var ctx = new ResourceAuthorizationContext(Anonymous, action, ChinookResources.Album);

        // NOTE(review): .Result blocks the calling thread and wraps any failure in
        // an AggregateException; an async Task test body with await would avoid both.
        Assert.IsFalse(subject.CheckAccessAsync(ctx).Result);
    }
}